-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support authentication via Shared Access Signatures (SAS) for Azure artifacts #10297
Comments
@alexdittmann the underlying authentication uses the Azure SDK for Go, and the DefaultAzureCredential in particular. This supports authentication via environment variables, Workload Identity, Managed Identity, or Azure CLI. (See this learn page for more details as well.) This is all enabled by setting You could try to add the SAS token to the endpoint field and set |
I want to clarify that Line 7 in 1322f26
|
It's a pity. We would have used this feature with Azure ManagedIdentity very gladly. This is actually the suggested and easiest way to access storage from kubernetes. |
Ah, it looks like that feature in the Go SDK is still in beta. Not sure if a PR with a beta version of identity would be accepted or not, but it would be a fairly simple change to make if anyone has time to test it out. |
Hi, Thank you and best regards |
Yes, as I wrote in that Slack thread too, extending existing functionality is likely to be accepted. Similarly as I wrote there, the spec etc is still important; I haven't read this issue in much detail to comment. If we externalize artifact plugins (#5862), some may still be "core" plugins that are built-in or more closely maintained. The main "hyperscaler" clouds are the most popular to support, so Azure features certainly welcome. |
Hi @brianloss and @agilgur5 , I am a part of @alexdittmann 's team currently working on a proposal for the support of Azure SAS tokens. Could you please quickly verify one of these approaches as possibly suitable for moving forward with this contribution?
spec:
entrypoint: input-artifact-azure-example
templates:
- name: input-artifact-azure-example
inputs:
artifacts:
- name: my-art
path: /my-artifact
azure:
SASTokenSecret:
name: my-azure-sas-token
key: token For the 2nd and 3rd options, we would need a mechanism to resolve cases where the user provides more than one option (example : setting both |
Hi again @agilgur5, Thank you and best |
Could I get a review here please? @agilgur5 @brianloss |
@kavishdahekar-sap I'm not a committer, but I can take a look. |
Summary
Support authentication via Shared Access Signatures (SAS) for Azure artifacts
Use Cases
With argo v3.4 support for Azure artifacts has been implemented. As far as I understand, the current implementation only supports authentication via Storage Account access keys, but not via Shared Access Signatures (SAS).
I would like to be able to use SAS for authentication, too.
@brianloss Since you worked on this feature, could you confirm that I am right why my assumption? I could not find a way to make it work with SAS tokens. (and thanks btw for implementing it!)
Me/my team would potentially be willing do this contribution.
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
The text was updated successfully, but these errors were encountered: